American Journal of Applied Sciences 5 (7): 777-782, 2008 ISSN 1546-9239 © 2008 Science Publications

A Password-Based Key Derivation Algorithm Using the KBRP Method

1Shakir M. Hussain and 2Hussein Al-Bahadili 1Faculty of CSIT, Applied Science University, P.O. Box 22, Amman 11931, Jordan 2Faculty of Information Systems and Technology, Arab Academy for Banking and Financial Sciences, P.O. Box 13190, Amman 11942, Jordan

Abstract: This study presents a new efficient password-based strong key derivation algorithm using the key based random permutation the KBRP method. The algorithm consists of five steps, the first three steps are similar to those formed the KBRP method. The last two steps are added to derive a key and to ensure that the derived key has all the characteristics of a strong key. In order to demonstrate the efficiency of the algorithm, a number of keys are derived using various passwords of different content and length. The features of the derived keys show a good agreement with all characteristics of strong keys. In addition, they are compared with features of keys generated using the WLAN strong key generator v2.2 by Warewolf Labs.

Key words: Key derivation, key generation, strong key, random permutation, Key Based Random Permutation (KBRP), key authentication, password authentication, key exchange

INTRODUCTION • The key size must be long enough so that it can not Key derivation is the process of generating one or be easily broken more keys for cryptography and authentication, where a • The key should have the highest possible entropy key is a sequence of characters that controls the process (close to unity) [1,2] of a cryptographic or authentication algorithm . • Run length should be less than eight bits Strong key derivation has become a primary concern in (a character word length) wireless network in order to provide secure • Bits are randomly distributed throughout the key communication in a hostile environment. For example, sequence Diffie-Hellman based key exchanges establish a secure • No particular pattern can be recognized throughout communication channel between two parties by the key sequence securely negotiating a large random element in a given cyclic group, called master secret. Then, this secret is Hash function and pseudorandom function are used to derive keys for encrypting and authenticating widely used for key derivation. These two functional [3] data . These keys must be bit-strings of some specific approaches are used in PBKDF1 and PBKDF2, length uniformly distributed and used as input respectively. PBKDF2 is recommended for new parameters to symmetric ciphers (for privacy), message applications while PBKDF1 is included only for authentication codes (for authentication) and pseudo- compatibility with existing applications and is not random functions (for expansion of a seed into a longer recommended for new applications (Kal 00). A wired bit-string)[4]. equivalent privacy or wireless encryption protocol There are a number of approaches that have been (WEP) is another functional approach that is developed developed for strong key derivation such as: functional to provide security for wireless networks. However, a based[5,6,2], biometric based[7,8,9] and voice based[10,11,12]. number of techniques and programs are now available The functional based key derivation approach is often that can crack a WEP key in less than a minute. Despite used to derive one or more keys from a common secret that a wireless strong key generator has been developed value (password); therefore, it may be referred to as a to enhance wireless security such as the WLAN strong password-based key derivation[2]. key generator v2.2 by Warewolf Labs[14]. For strong cryptography, keys need to be carefully In this study a new efficient password-based key selected and must acquire some special characteristics, derivation algorithm is proposed for a strong key such as[2,7,13]: derivation, regardless of the password elements and

Corresponding Author: Shakir M. Hussain, Faculty of CSIT, Applied Science University, P.O. Box 22, Amman 11931, Jordan 777 Am. J. Applied Sci., 5 (7): 777-782, 2008 length. The algorithm utilizes the Key Based Random method referred to as Biometric Aggregation. In this Permutation (KBRP) method in[15]. In order to ensure approach, the encryption process begins with the that the binary sequence generated is hard to predict, acquisition of the required biometric samples. Features first, an important modification is introduced to the last and parameters are extracted from these samples and step in KBRP, namely the fill () step. Second, two used to derive a biometric key that can be used to further steps are added to the KBRP method to derive a encrypt a plaintext message and its header information. strong key. During the decryption process, acquisition of additional The modified KBRP method assures that the key biometric samples from which the same features and derived is of highest possible entropy (close to unity, parameters are extracted and used to produce a “noisy” since the number of 0’s and 1’s are only differing by 1). key as done in the encryption process. Next, a small set But the derived key may not provide an adequate run of permutations of the “noisy” key are computed. These length for 0’s and 1’s. Therefore, in order to satisfy a keys are used to decrypt the header information and suitable run length (RL) of 0’s and 1’s, we march determine the validity of the key. If the header is through the derived key and every time the run length is greater than RL, then the last bit in RL is replaced with determined to be valid, then the rest of the message is the subsequent bit that represents its complement. decrypted. The proposed approach eliminates the need This algorithm ensures even with weak password, a for biometric matching algorithms, reduces the cost strong key can be derived to satisfy the characteristics associated with lost keys and addresses non-repudiation mentioned above. So that user can still use their favorite issues. [11,12] password set without affecting the key strength. Monrose et al. developed a technique to The features of the keys generated using the reliably generate a cryptographic key from a user’s proposed algorithm are evaluated, analyzed and voice while speaking a password. The key resists compared with the results obtained from the WLAN cryptanalysis even against an attacker who captures all strong key generator v2.2 by Wareworlf Labs. The system information related to generating or verifying features evaluation process is done by comparing the the cryptographic key. Moreover, the technique is entropy of the derived key, maximum run length of 0's sufficiently robust to enable the user to reliably and 1's and the average run length. regenerate the key by uttering the password again. They described an empirical evaluation of their technique LITERATURE REVIEW using 250 utterances recorded from 50 users. Teoh[9] proposed a novel two-stage technique to A number of key derivation approaches have been generate personalized cryptographic keys from the face developed throughout the years, such as: functional biometric, which offers the inextricably link to its [2,5,6] [7,8,9] [10,11,12] based , biometric based and voice based . owner. At the first stage, integral transform of biometric [2] B. Kaliski proposed a functional based approach input is to discretise to produce a set of bit to derive a key from a password and other parameters representation with a set of tokenised pseudorandom such as a salt value and an iteration count. He number, coined as FaceHash. In the second stage, developed two functions for key derivation, namely, FaceHash is then securely reduced to a single PBKDF1 and PBKDF2. PBKDF2 is recommended for cryptographic key via Shamir secret-sharing. Tokenised new applications; PBKDF1 is included only for FaceHashing is rigorously protective of the face data, compatibility with existing applications and is not with security comparable to cryptographic hashing of recommended for new applications. token and knowledge key-factor. The key is constructed He defined four steps in his key derivation to resist cryptanalysis even against an adversary who functions. These are: (1) select a salt value and an captures the user device or the feature descriptor. iteration count, (2) select a length in octets for the Peyravian et al.[16] used either a ‘user Identifier’ derived key, (3) apply the key derivation function to the (userID) or information that may be used to identify the password, the salt, the iteration count and the key individual such as a user's biometric data. These data length to produce a derived key and (4) output the can be the user's fingerprints, hand geometry, iris derived key. In this approach, many numbers of keys pattern, or any other suitable biometric identification. may be derived from a password by varying the salt. Then such user ID-based or biometric-based key or Costanzo[7] proposed a biometric key derivation random number generated based on their algorithms approach for generating a cryptographic key from an may be used in asymmetric-key cryptographic systems individual’s biometric for use in proven symmetric (such as the RSA) or the symmetric-key cryptographic cipher algorithms. The proposed approach uses a systems (such as the DES). 778 Am. J. Applied Sci., 5 (7): 777-782, 2008

THE PROPOSED KEY DERIVATION P: array holds permutation with ALGORITHM Values 1 to N

Here we present a description of the proposed key KEY: key (string of bits) of size N derivation algorithm. It utilizes the KBRP method[15]; For (i = 1 to N) therefore, we first provide a brief description of this KEY[i] = P[i] MOD 2 method followed by a detail implementation of the KEY[P[1]] = NOT KEY [P[1]] proposed algorithm.

KBRP METHOD Fig. 1: Algorithm for the derive() step

Key Based Random Permutation (KBRP) is a KEY: key (string of bits) of size N. method that generates one permutation of size N out of [15] RL: run length set to 4 N! permutations . This permutation is generated from Bits0: counter holds consecutive 0 bits a certain key (password) by considering all elements of Bits1: counter holds consecutive 1 bits the password in the generation process. The while KEY contain run length > RL permutation is stored in one-dimensional array, P, of set Bits0, Bits1 to 0 size N. The KBRP method consists of three consecutive count Bits0 in KEY steps: init (), eliminate () and fill (). count Bits1 in KEY The first step, init (), initializes an array of size N if (Bits0 > RL) with elements from the given password. It takes the swap one 0 bit with the first following ASCII code of each element in the password and 1 bit in KEY storing them in the array consecutively. If the password set Bits0 to 0 provides less than N elements, the unfilled elements are if (Bits1 > RL) derived by adding two consecutive values, starting at swap one 1 bit with the first following the first element of the array until all unfilled elements 0 bit in KEY set Bits1 to 0 are set to values. Finally, the mod operation with respect to N+1 is calculated for each element, so that all values are set within the range 1 to N. Fig. 2: Algorithm for the certify() step The second step, eliminate (), is to eliminate the similar values by replacing them with zero and keep algorithm, in order to obtain the highest acceptable only one value out of these similar values. Last step, fill entropy (close to unity), only one bit is complimented. (), is to replace all zero values with values in the range This bit is chosen according to the value of the element 1 to N that are not exist in the array. The resulted array number one in the permutation array, so that the derived is now representing the permutation. key depends on the password elements entered and different keys can be derived depending on the position THE PASSWORD-BASED KEY DERIVATION of inverted bit. The drive () step is performed to ensure ALGORITHM that bits are randomly distributed throughout the binary key sequence. The proposed algorithm consists of five steps. Figure 1 outlines the procedure of the key These are: init (), eliminate (), fill (), derive () and derivation step. However, this step will not ensure that certify (). The first three steps are similar to those in the the derived key satisfies the run length requirement for KBRP method explained above. a strong key. For this reason, we use step 5 to certify The forth step, derive (), derives the key from the the key. permutation P generated from the KBRP method by The fifth step, certify (), takes the outcome of the performing mod 2 operation for each element in P. This forth step and check the run length for the two binary ensures that each element in P will have either 0 or 1 digits 0 and 1 to make sure that the run length for each and the number of 0's and 1's are even, since N is of them is not more than a particular value, r. To always an even number. To satisfy one of the achieve this objective without varying the entropy, the requirements of a strong key by do not use an equal binary sequence is checked and once the run length number of 0’s and 1’s, we invert one or more bits of the equal to r, the rth+1 bit is swapped with its next same value. These bits can be selected randomly or complement bit (here we use r = 4). Fig. 2, shows the according to a particular procedure. However, in our algorithm for the certify () step. 779 Am. J. Applied Sci., 5 (7): 777-782, 2008

Table 1: 40-bit derived keys for various passwords ILLUSTRATIVE EXAMPLES Password 40-bit derived key aaaa A892236DB6 6927545F71 The five steps forming the proposed algorithm are KBRP 63276B3867 2B313E2650 implemented in a small code using C++ language. The 1234 0DAF1EEF10 5A7934265E code takes as an input any character set (password) and computer C4B0891DDE 614D756356 output a binary key that has all features of a strong key; success246 E2645E4C96 376930787E such a highest possible entropy, a run length of both 0's and 1's is less than or equal to r (4

Table 3: 128-bit derived keys for various passwords • Password of 4 numeric values (1234) Password 128-bit key • Password of 8 different letters (computer) aaaa 49DA7BB4F776EC9EE6762264B0896110 • Password of 10 different alphanumeric characters 7A7B365F4E523A2A3E2032242B427746 (success246) KBRP 63223AE4753350A599772170E332EB5B 3A6977547247717A575B623A20656835 1234 12DC2113152D3C4DA93DDBD34E9EF190 The results for 40, 104, 128 and 232 bits key 55506D39522B2726673C237032375E3A lengths are presented in Table 1-4, respectively. The computer F4B0891DD556112C2E99C4B09BCED3DD derived keys are compared with those obtained from the 2E31253644335157385D2D5A69302252 WLAN strong key generator program v2.2 by success246 EEBA5275B663512C21A3730C2D13ADAF [14] 6750655772476453712766455F7A7D66 Warewolf Labs in Table 5-8. The results show that the keys derived using the proposed algorithm always have the maximum

Table 4: 232-bit derived keys for various passwords acceptable entropy, a controlled run length for both 0’s Password 232-bit key and 1’s of not more than a particular value (in this case aaaa ED89D8791EC223C869EEDB8761627 r=4) for all key lengths and an acceptable average run 13D3B1B85E5844B0B8F113AEC3784 length. On the other hand, the tests show that for the 525A72613B5D445F75597C6F57247 Warewolf program, the run length may be more than 8 3205D5F2451243A4771735F31623E for long keys. KBRP 632F32E72939EE8727263AF48F6A8 EBD9C48E30DA786943846622E8D8C 2C314C5A5A2C4A216B58466C55726 CONCLUSION 35540245D6131437A584A7125652F 1234 EEE258422896113CB0896110A6D3D This study presents a new functional password- DE32D3DDA7BB7B31CC242F27B27BB based strong key derivation algorithm using the key 4170242D665145287839484227476 36A202B5E4E5330493C7A5F617749 based random permutation (KBRP) method. The KBRP computer 12225769EED3DDA7BB4F769EED3DD method consists of three computational steps (init (), 88E1371ECD8F4B0896112C2258448 eliminate (0 and fill () steps) to generate a permutation 33346D41526F746B2B61493378512 P of size N out of N! possible permutations. Two other 6655769474D6171335E3E2A733D5D success246 F5BB7AC58BC31849D657A61911553 computational steps (derive () and certify () steps) are 573DE584498C8630CF76DACC642F3 added to process the outcome of the KBRP method to 2246757C483C5F3C5B7A40767D3A7 derive a key that meets all the features of a strong key. 84E6E6D4D472D58366664294F5E74 In particular, the derived key has a maximum 780 Am. J. Applied Sci., 5 (7): 777-782, 2008

Table 5: A comparison between the proposed algorithm and the WLAN strong key generator v2.2 by Warewolf Labs for 40-bit key length Password Entropy No of 0’s/1’s Max RL 0’s/1’s Ave RL 0’s/1’s aaaa 0.9982 21/19 3/2 1.62/1.46 0.9982 19/21 3/5 1.58/1.75 KBRP 0.9982 19/21 4/3 1.90/2.10 0.9837 23/17 4/5 2.09/1.70 1234 0.9982 19/21 4/4 2.11/2.63 1.0000 20/20 4/4 1.67/1.82 computer 0.9982 21/19 4/4 2.10/1.90 1.0000 20/20 4/3 1.43/1.54 success246 0.9982 21/19 3/4 1.91/1.73 0.9982 19/21 5/6 2.11/2.63

Table 6: A comparison between the proposed algorithm and the WLAN strong key generator v2.2 by Warewolf Labs for 104-bit key length Password Entropy No of 0’s/1’s Max RL 0’s/1’s Ave RL 0’s/1’s aaaa 0.9997 51/53 4/4 1.82/1.96 0.9989 50/54 5/5 1.56/1.69 KBRP 0.9997 51/53 4/4 1.70/1.83 0.9957 56/48 5/6 2.00/1.71 1234 0.9997 53/51 4/4 1.96/1.82 0.9783 61/43 7/4 2.35/1.72 computer 0.9997 53/51 4/4 1.96/1.82 0.9957 48/56 3/5 1.60/1.87 success246 0.9997 51/53 4/4 1.65/1.71 0.9976 55/49 5/6 1.96/1.82

Table 7: A comparison between the proposed algorithm and the WLAN strong key generator v2.2 by Warewolf Labs for 232-bit key length Password Entropy No. of 0’s/1’s Max RL 0’s/1’s Ave RL 0’s/1’s aaaa 0.9998 51/53 4/4 1.85/1.97 0.9984 67/61 7/5 1.97/1.85 KBRP 0.9998 65/63 4/4 1.81/1.75 0.9998 65/63 6/4 1.76/1.70 1234 0.9998 65/63 4/4 1.88/1.85 0.9984 67/61 6/4 1.86/1.74 computer 0.9998 63/65 4/4 1.82/1.84 0.9857 73/55 6/3 1.87/1.45 success246 0.9998 63/65 4/4 1.75/1.76 0.9984 61/67 5/5 1.65/1.86

Table 8: A comparison between the proposed algorithm and the WLAN strong key generator v2.2 by Warewolf Labs for 232-bit key length Password Entropy No. of 0’s/1’s Max RL 0’s/1’s Ave RL 0’s/1’s aaaa 0.99995 117/115 4/4 2.17/2.13 0.99995 115/117 6/5 1.80/1.86 KBRP 0.99995 117/115 4/4 1.98/1.98 0.98623 132/100 8/4 1.91/1.45 1234 0.99995 115/117 4/4 1.98/1.98 0.98790 131/101 7/5 2.15/1.66 computer 0.99995 115/117 4/4 1.89/1.95 1.00000 116/116 5/5 1.71/1.71 success246 0.99995 115/117 4/4 1.89/1.89 0.99979 114/118 7/5 1.90/2.00 acceptable entropy, the number of 0’s and 1’s both 0’s and 1’s and a satisfactory average run may be set to differ by a specific value (in length. These key features are validated against this work it is set to differ by 1 only, a key features generated using a standard WLAN controlled maximum run length for strong key generator v2.2 from Warewolf Labs.

781 Am. J. Applied Sci., 5 (7): 777-782, 2008

ACKNOWLEDGEMENTS 8. Uludag, U., S. Pankanti, S. Prabhakar and A. Jain, 2004. Biometric Cryptosystems: Issues and This study received financial support towards the Challenges. Proceedings of the IEEE, Vol. 92. cost of its publication from the Deanship of Research 9. Teoh, A.B., D.C. Ngo and A. Goh, 2004. and Graduate Studies at Applied Science University, Personalised Cryptographic Key Generation Based on FaceHashing. Computers and Security, Amman - Jordan. 23: 606-614. 10. Monrose, F., M.K. Reiter, Q. Li, D. Lopresti REFERENCES and C. Shih, 2002. Towards Voice Generated Cryptographic Keys on Resource Constrained 1. Chevassut, O., P.A. Fouque, P. Gaudry and Devices. Proceedings of the 11th USENIX Security D. Pointcheval, 2005. Key Derivation and Symposium. Randomness Extraction. 11. Monrose, F., M.K. Reiter, Q. Li and S. Wetzel, 2. Kaliski, B., 2000. Password-Based Cryptography 2001. Cryptographic Key Generation From Voice. Specification Version 2. Network Working Group, Proceedings of the IEEE Conference on Security RFC 2898-PKCS#5, and Privacy, USA. http://www.faqs.org/rfcs/rfc2898.html 12. Monrose, F., M.K. Reiter, Q. Li and S. Wetzel, 3. Diffie, W. and M.E. Hellman, 1976. New 2001. Using Voice to Generate Cryptographic Directions in Cryptography. IEEE Transactions on Keys. Speech Recognition Workshop, Greece. Information Theory, 22: 644-654. 13. Roginsky, A., 2004. A New Method for Generating 4. Bellare, M., R. Canetti and H. Krawczyk, 1996. RSA Keys. International Business Machines Keying Hash Functions for Message Consulting Group. 14. Elliott, C., 2005. WLAN Strong Key Generator Authentication. In Crypto ’96, LNCS 1109, v2.2 by Warewolf Labs. Warewolf Labs, Warewolf Springer-Verlag, Berlin, pp: 1-15. Website. 5. Dodis, W., R. Gennaro, J. Hastad, H. Krawczyk 15. Hussain, S.M. and N.M. A-Ajloni, 2006. Key Base and T. Rabin, 2004. Randomness Extraction and Random Permutation (KBRP). J. Computer Sci., Key Derivation Using the CBC, Cascade and 2: 419-421. HMAC Modes. Proceedings of Crypto ’04, LNCS, 16. Peyravian, M., S.M. Matyas, A. Roginsky and Springer-Verlag, Berlin, pp: 494-510. N. Zunic, 1999. Generating User-Based 6. Zorn, G., 2001. Deriving Keys for Use with Cryptographic Keys and Random Numbers. Microsoft Point-to-Point Encryption (MPPE). Computers and Security, 18: 619-626. Network Working Group. 7. Costanzo, C.R., 2004. Biometric Cryptography: Key Generation Using Feature and Parametric Aggregation. School of Engineering and Applied Sciences, Department of Computer Science, George Washington University.

782